Difference
DTLS is used for delay-sensitive applications (voice and video) because it is UDP based, while TLS is TCP based.
DTLS is supported for AnyConnect VPN, not for IKEv2.

How it works?
The SSL-Tunnel is the TCP tunnel that is created first to the ASA.
When it is fully established, the client then tries to negotiate a UDP DTLS-Tunnel.
During DTLS negotiation, traffic keeps passing over the TLS tunnel.
When the DTLS-Tunnel is fully established, all data moves to the DTLS-Tunnel and the SSL-Tunnel is only used for occasional control-channel traffic.
If establishing the DTLS-Tunnel fails, traffic continues to pass over the TLS tunnel.
After DTLS has been established, if the DTLS-Tunnel later fails, traffic passes over the TLS tunnel until the DTLS-Tunnel is re-established.

How Data is Forwarded?
For each packet there is a part of the AnyConnect client code which decides whether to send the packet over TLS or DTLS. If the DTLS tunnel is established, …
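The per-packet TLS/DTLS selection and fallback described above, written out as a small simulation. This is an added example, not Cisco's AnyConnect code; the class, event and state names are assumptions made for the illustration.

```python
# Hypothetical model of AnyConnect-style tunnel selection (not vendor code).
from enum import Enum, auto


class TunnelState(Enum):
    DOWN = auto()
    NEGOTIATING = auto()
    UP = auto()


class TunnelSelector:
    """Per packet, choose the TCP SSL-Tunnel or the UDP DTLS-Tunnel."""

    def __init__(self):
        self.ssl = TunnelState.DOWN
        self.dtls = TunnelState.DOWN

    # Events raised by the tunnel layers.
    def ssl_established(self):
        self.ssl = TunnelState.UP
        self.dtls = TunnelState.NEGOTIATING   # DTLS is only tried after SSL is up

    def dtls_established(self):
        if self.ssl is not TunnelState.UP:
            raise RuntimeError("DTLS cannot come up without the SSL-Tunnel")
        self.dtls = TunnelState.UP

    def dtls_failed(self):
        # Failed negotiation or a later loss: fall back to TLS, try DTLS again.
        self.dtls = TunnelState.NEGOTIATING

    # The per-packet decision.
    def route(self, kind):
        """kind is 'data' or 'control'; returns 'DTLS', 'TLS' or None."""
        if self.ssl is not TunnelState.UP:
            return None                       # nothing can be sent yet
        if kind == "control":
            return "TLS"                      # control channel stays on SSL-Tunnel
        return "DTLS" if self.dtls is TunnelState.UP else "TLS"


def run_scenario():
    """Constructed session: connect, DTLS up, DTLS drops, DTLS recovers."""
    sel, trace = TunnelSelector(), []
    trace.append(sel.route("data"))           # None: no tunnel yet
    sel.ssl_established()
    trace.append(sel.route("data"))           # TLS while DTLS negotiates
    sel.dtls_established()
    trace.append(sel.route("data"))           # DTLS carries data now
    trace.append(sel.route("control"))        # control still over TLS
    sel.dtls_failed()
    trace.append(sel.route("data"))           # back to TLS until DTLS returns
    sel.dtls_established()
    trace.append(sel.route("data"))           # DTLS again
    return trace
```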

Why do we need it?
During encryption, additional overhead is added to each packet by the new headers and features. This means that the usable size of the unencrypted TCP segment or UDP datagram that carries the application data is reduced, because the MTU of the adapter stays the same.
For example, with Ethernet and an MTU of 1500 bytes, the unencrypted TCP segment cannot be larger than 1460 bytes. With encryption, for Ethernet and an MTU of 1500, the unencrypted TCP segment cannot be larger than 1380 bytes (the exact value can differ). The 80-byte difference is consumed by the encryption overhead.
The unencrypted TCP segment could be kept larger, but the resulting packet would exceed the 1500-byte MTU and the networking devices would have to fragment it, which is bad and should be avoided.
The AnyConnect client builds a Virtual Adapter (VA) during installation on the client machine. This VA receives the unencrypted traffic and emulates Ethernet to forward the traffic after encryption. The actual traffic then g…